Security Testing
Expert configuration review of your Microsoft 365 or Google Workspace tenant — identity, sharing and mail security checked against best practice.
Your Microsoft 365 or Google Workspace tenant holds your email, your files, your calendars and your identities — which makes it the single most attacked asset most organisations own. A Microsoft 365 security review (or its Google Workspace equivalent) examines how your tenant is actually configured, against CIS Benchmarks and vendor best practice, before an attacker finds the gap first.
These platforms ship with hundreds of security settings, and the defaults are chosen for adoption, not protection. Our consultants review the areas that decide whether a tenant compromise happens: identity and access — MFA coverage, conditional access, legacy authentication, privileged role sprawl; sharing and collaboration — external sharing defaults, guest access, anonymous links; and mail security — anti-phishing and anti-spoofing controls including SPF, DKIM and DMARC, forwarding rules and transport policies.
Beyond the headline areas, the review examines application permissions and third-party OAuth grants — a quietly growing attack vector — plus device access policies, audit logging coverage and data retention. Findings are prioritised by impact and likelihood, so a disabled audit log or an admin account without MFA is never buried beneath cosmetic observations.
The review is delivered through Sentry: scoped via questionnaire and call, evidence gathered through read-only reviewer access, findings raised as they are identified, and a prioritised report with clear remediation guidance followed by a debrief. Most tenant fixes are configuration changes rather than purchases, which makes this one of the fastest ways to measurably harden your organisation.
A tenant review pairs naturally with our phishing, smishing and vishing assessments — one hardens the platform that receives the attack, the other measures how your people respond to it. And because tenants drift as admins come and go, an annual review with continuous vulnerability management in between keeps the assurance current.
Both major productivity platforms reviewed against CIS Benchmarks and vendor best practice.
MFA coverage, conditional access, legacy authentication and privileged roles — the settings that decide tenant compromises.
External sharing, guest access, SPF, DKIM, DMARC and forwarding rules checked and prioritised.
Third-party application grants reviewed — the attack vector most tenants have never audited.
Most findings are settings changes, not purchases — measurable hardening within days of the debrief.
A short questionnaire and scoping call confirm the platforms, tenants or devices in scope and the standards that matter to you. You receive a clear Statement of Work and your project is created in Sentry.
We arrange read-only access or configuration exports, along with architecture diagrams and relevant policies. Nothing is changed in your environment.
A consultant assesses your configuration against CIS Benchmarks and vendor best practice, prioritising findings by impact and likelihood. Findings are raised in Sentry as they are identified, not weeks later.
You receive a prioritised report with clear remediation guidance and a debrief session with your consultant. Findings stay in Sentry so you can track fixes and compare future reviews.
Straight answers to what prospective clients ask us most.
Identity and access (MFA, conditional access, legacy authentication, privileged roles), sharing and guest access, mail security (including SPF, DKIM and DMARC), application permissions and OAuth grants, device policies and audit logging — prioritised by real-world impact.
Read-only reviewer roles — both Microsoft 365 and Google Workspace provide built-in roles suitable for exactly this. We never need write access, and we guide you through granting and revoking it.
Platform scores are a useful signal, but they weight settings generically and cannot judge your context. An expert review prioritises what matters for your organisation, catches issues scores miss — such as risky OAuth grants and forwarding rules — and gives you defensible evidence for auditors.
Annually as a baseline, and after significant changes such as migrations, mergers or admin turnover. Tenants drift constantly, so many clients pair the annual review with our continuous vulnerability management service.
Get a fixed-scope quote, usually the same working day.